Phishing continues to be a major issue in IT security. Cyber criminals are increasingly using new, dynamic methods to slip their fraudulent emails past installed security filters unnoticed in order to deceive their victims and misuse them as door openers for malicious activities. In this article, you will find out more about the latest tricks and how you can protect your company even better against serious deceptive maneuvers.
Undetected by the automatic defense
The latest phishing campaigns paint a worrying picture: Attackers’ emails are increasingly bypassing the company’s automated security controls. The first hurdle that fraudulent messages have to overcome on their way to the victim is the so-called sandbox analysis. This involves examining the email for possible threats in a controlled environment so that the real systems are not compromised.
In order to circumvent email sandboxing undetected, attackers integrate a link to a trustworthy website, for example. At a later stage, however, the stored content is changed in such a way that the recipient is directed to a malicious website that then steals access data or installs malware.
The attackers use these tricks
The days when phishing attacks exposed themselves through grammatical weaknesses and spelling mistakes are over thanks to AI-supported translations. Attacks are also becoming increasingly sophisticated. Criminal phishing specialists use these tricks to smuggle their fraudulent emails past the defense mechanisms:
- Deceiving security solutions: The attacker first directs the user to a known, secure website. Without a suspicious link or attachment, the email passes through the security filters of portal and sandbox solutions. Later, the content of the linked website is changed, or the user is redirected from there to the phishing page.
- Abusing Office services: The phishing emails refer to common cloud platforms and services such as SharePoint, OneDrive or Confluence and thus feign trustworthiness in order to persuade users to click on the links or file attachments they contain.
- Taking over email accounts: The attackers use a compromised email account of a legitimate user and send phishing emails to suppliers, partners or customers as a trusted sender.
Why conventional detection methods fail
Phishing attacks can also evade detection by conventional security measures because the campaigns are dynamically designed. Among other things, they exploit the fact that the links contained in the email are only scanned by conventional security systems when they arrive. If the link refers to a legitimate website, it is classified as safe. The attackers’ trick: the original content is initially hosted on an official platform such as SharePoint. However, the actual content is stored on another site that is not yet directly accessible. With a time delay, the attacker changes the linked target page or redirects the user so that they suddenly end up on a phishing page. Due to the time delay, the sandbox analysis could not issue a warning before the change.
Solutions
As with other cybercriminal methods, there is no absolute protection against phishing attacks. However, there are a number of measures that minimize the risk. These include:
- Multi-factor authentication (MFA): In addition to knowledge components such as username and password, MFA requires an additional, independent factor for user authentication, e.g. a token, a smartcard or biometric data. A captured password alone is therefore no longer sufficient for unauthorized access.
- User sensitization: Through continuous training, the users themselves become an important part of the defense. The aim of the training is to recognize phishing attempts and to behave correctly.
- Enhanced email security: Email scanners with a multi-stage checking mechanism examine messages, attachments and links not only when they are received, but also on each subsequent click and at regular intervals. Phishing attempts whose targets change after delivery can thus be detected and blocked at an early stage.
- Sandbox solutions: Email sandboxing is essential as a basic tool, as it isolates incoming messages and checks them in a virtual environment before they are forwarded to the recipient. All attached files and embedded links are examined for their behavior after opening. If a potential threat is detected, the email is quarantined. To further increase effectiveness, sandboxing is also combined with spam filters, or several sandboxes are connected in series (sandbox arrays).
- URL protection services: Websites are checked with real-time analysis at the moment they are clicked on. In the event of suspicion, a warning is issued or access is blocked.
More effectiveness through human expertise
The most effective protection against phishing attacks is a multi-layered, dynamic approach that goes far beyond traditional email sandboxing. The human factor is crucial in a holistic approach like SECUINFRA’s:
- Simulated work environment: In order to simulate a regular user workstation for the phishing URLs, we simulate an authentic customer environment. In a semi-automated process, we analyze the behavior of the phishing links and detect URL content changes and redirects, among other things. The role of the analysts is primarily to verify suspicious results and manage complex threats.
- Extended URL monitoring: In addition, we continuously scan the Internet for suspicious changes in connection with URLs, such as redirects and content changes. Here too, the largely automated monitoring is supplemented by analysts who keep a critical eye on suspicious URLs in order to further increase the hit rate and avoid false alarms.
- Integration with Microsoft security tools: We use the following basic tools:
  - Microsoft Defender scans emails for potential security risks before they appear in the user’s mailbox and blocks malicious attachments or links.
  - Microsoft Defender XDR enables users to actively respond to detected cyberattacks.
  - Microsoft Sentinel collects and correlates information from multiple sources and performs analysis to detect phishing patterns and other security risks. For optimal threat management, it automates tasks, creates interactive workbooks and reports, and provides advanced SOAR (Security Orchestration, Automation and Response) capabilities.
  - Microsoft Defender for Endpoint detects malware before the user executes it. In addition, our experts help to better understand the attack by analyzing the malware and device history and, if necessary, blocking the hash in the entire environment.
  - Defender for Identity / Entra Identity Protection protect identities by preventing attackers from penetrating the network. Microsoft Defender for Identity protects on-premises Active Directory accounts, and Entra Identity Protection protects Microsoft Entra accounts. The ability to assess, report and handle risks associated with user activity and logins is a good complement to multi-factor authentication.
- Distributed analysis platform: SECUINFRA’s distributed analysis platform uses multiple web crawlers to simulate realistic user interactions with phishing URLs. To detect deception strategies, the URLs are viewed from different angles and their activity is monitored. In this way, we continuously improve our ability to detect and defend against advanced phishing tactics.
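The click-time and interval re-scanning from the Solutions list and the redirect and content-change detection of the URL monitoring described above, as an added example (not SECUINFRA’s code): the link is scanned on arrival, re-scanned later, and any change of destination host, page content or redirect chain is reported. A fetcher stand-in replaces live HTTP, and the SharePoint-style and lookalike URLs are constructed.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Snapshot:
    final_url: str      # where the link lands after following redirects
    content_hash: str   # SHA-256 of the body served at the final URL
    hops: int           # number of redirects followed

def resolve(fetch, url, max_hops=5):
    """Follow redirects with fetch(url) -> (status, location, body) and snapshot the end."""
    hops = 0
    while hops <= max_hops:
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url, hops = location, hops + 1
            continue
        return Snapshot(url, hashlib.sha256(body).hexdigest(), hops)
    raise RuntimeError(f"redirect chain longer than {max_hops} hops")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def compare(baseline, later):
    """List what changed between the arrival scan and a later re-scan of the same link."""
    findings = []
    if host_of(baseline.final_url) != host_of(later.final_url):
        findings.append(f"destination host changed: {host_of(baseline.final_url)} -> {host_of(later.final_url)}")
    if baseline.content_hash != later.content_hash:
        findings.append("page content changed since arrival scan")
    if later.hops > baseline.hops:
        findings.append(f"redirects introduced: {baseline.hops} -> {later.hops} hops")
    return findings

# Constructed scenario (not real traffic): the same link is benign at arrival (phase 0) and,
# after the attacker's time-delayed change (phase 1), redirects to a lookalike login page.
LINK = "https://contoso.sharepoint.example/sites/invoices/Doc1.aspx"
PAGES = {
    0: {LINK: (200, None, b"<html>Invoice Q3 - shared document</html>")},
    1: {LINK: (302, "https://login.contoso-secure.example/", b""),
        "https://login.contoso-secure.example/": (200, None, b"<html><form>Sign in</form></html>")},
}

def make_fetcher(phase):
    # Stand-in for an HTTP client; a real deployment would fetch the URL here.
    return lambda url: PAGES[phase].get(url, (404, None, b""))

def rescan(link, phases):
    """Scan at arrival (phases[0]) and re-scan at each later phase, reporting changes."""
    baseline = resolve(make_fetcher(phases[0]), link)
    return {p: compare(baseline, resolve(make_fetcher(p), link)) for p in phases[1:]}
```

In production the re-scan would be triggered on each user click and on a timer, and a non-empty findings list would quarantine the message retroactively.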
Conclusion
Defending against increasingly dynamic phishing methods requires a multi-layered security strategy that combines advanced technologies with continuous monitoring by experienced analysts. SECUINFRA’s holistic approach meets these requirements with a tightly meshed solution network of tools, environment simulation, standard Microsoft tools and a distributed analysis platform. However, one thing must not be forgotten: In view of the constantly changing threat situation, it is essential to keep your own infrastructure up to date, regularly review your security procedures and continuously train your staff. The experts at SECUINFRA will be happy to support you in all these matters at any time. Just ask us!
Figure captions:
- Dynamic phishing attacks sometimes deceive even security experts.
- Enhanced approach with additional SECUINFRA expertise exposes a phishing attempt with time-delayed modifications.